1.0 CERTIFICATION RESULTS

(U) Based on the certification review of the DCS 3000, several significant information assurance deficiencies were found. These findings are based on document review, interviews of both system administrators and users, and actual testing.

(U) Since time limits prevented thorough testing of the DCS 3000, a sufficient sampling was made to draw conclusions about practices, capabilities and deficiencies. Tests were performed in priority order, taking into account the sensitivity of the information contained therein and the importance of immediate continuity of the system in a time of crisis.

(U) The major deficiencies were in the areas of [redacted].

(U) All of these deficiencies indicate a lack of proper infrastructure for the information assurance of the DCS 3000. Some of these are a direct result of the certification testing, and others are a result of interviews with both users and system administrators as well as review of existing documentation.


1.1 Testing Constraints 

(U) Security should ensure that procedures, policies, and practices are in place to ensure data confidentiality, integrity, and 
operational availability of the DCS 3000. 

(U) With the exceptions noted in Section 3.0, all tests were performed in the test environment. In addition to the certification and accreditation team members present at the tests, test team participants included the CSSO, technical project manager and program sponsor. Test dates and participants are listed in Section 2.0 of this document.
August 27, 2002
1.2 Major Findings

(U) Numerous findings have been identified for the DCS 3000. These fall into both the technical and the policy/procedural 
areas. The following sections summarize the major findings. 

1.2.1 Technical Findings 


********** CAUTIONARY REMARK **********

Suggestions for mitigating changes are included in several finding descriptions. The system owner/administrator must assume full responsibility for making such changes correctly. Before making any changes, the system components should be completely backed up. The suggested changes should be researched to determine if there are more current fixes available. Caution is advised as to the proper order in which the changes are made, as they are usually not independent of each other. Finally, any changes should be made in compliance with current configuration management guidelines.

***************************************


(U) The following table briefly summarizes the technical findings:
Major Security Findings

| Test Case | Scan Report | Finding |
|---|---|---|
| VS-03 | Users.txt | (redacted) |
| VS-01 | Pages 3-5, 7, 20, 26 of Workstation Vulnerability Report | (redacted) CAUTION: If the Interactive user does not have write permission at the root key, then ordinary users will not be able to install applications that expose DCOM objects. |
| SI-03 | Refer to page 23 of this document. | (redacted) |

Finding details in this table are withheld in the released copy; the exemption markers b2 and b7E appear in place of the redacted text.


1.2.2 Procedural/Policy Findings 

The following list identifies the policy and procedural findings:


None found. 

2.0 TEST SCHEDULE 

(U) Testing was scheduled to occur between August 22, 2002 and August 23, 2002. Data entry, analysis and final editing of this document occurred between August 27, 2002 and August 31, 2002.


(U) The following table lists the test script groups and the dates on which testing, results recording and analysis were completed for each group.




| Test Script Group and Result File | Testing Completed | Analysis Completed |
|---|---|---|
| DISA Windows 2000 SRR scripts | 8/22/02 | 8/27/02 |
| ISS Vulnerability Scan (System) | 8/23/02 | 8/27/02 |
| CISCO scanner software | 8/23/02 | 8/27/02 |
3.0 TECHNICAL TESTS AND TEST RESULTS

(U) The following pages describe the actual tests performed. The tests are grouped as in the previous table. The order of the groups is essentially the sequence in which they were performed.

(U) Each test case includes a Test Description, the relevant Requirements, the desired Test Preparation, a table of Test Procedures and Results, an Analysis of Results, and finally a Pass/Fail table.

(U) Several test cases used automated vulnerability scanner test scripts. The results of these scans provide the detailed vulnerabilities, i.e., those specific items that must be fixed by modifying the system or determining the history of prior changes. These detailed results are the basis for several of the major findings reported herein. They are not included in this document, as they are directed towards system administrators whose job it will be to make the DCS 3000 adequately secure. However, they are available on request. They include:


1) (U) Security Readiness Review (SRR) scripts, Windows 2000 test results and findings

2) (U) ISS System Scanner test results and findings

3) (U) CISCO SYSTEM scanner test results and findings

4) (U) Manual test scripts and findings
BANNERS AND LABELS TEST SCRIPTS AND RESULTS

(U) Test Case BL-01: Test for Standard Security Warning Banner 

(U) Description: This test determines if the standard security warning banner appears prior to login on both servers and workstations. 

(U) Preparation: The system administrator shall send a system alert message to all users to save work and logout to allow testing. 

All workstations attached to the system network must be powered-up. They should not be logged on. 


(U) Procedure:

| Step | Procedure | Expected Outcome | Date Tested | Actual Outcome |
|---|---|---|---|---|
| 1 | Press CTRL+ALT+DELETE keys to unlock the console (if locked) and to initiate the logon process on the Primary Domain Controller. Logon using a valid user ID and password. Logout and lock console. For each of a sample of workstations using an NT-based operating system in several locations, power up and press CTRL+ALT+DELETE to initiate the login process. Login using a valid user ID and password. Look for the warning banner. Shutdown. | Standard warning banner should appear at a point prior to login. | 8/23/02 | As expected (The standard FBI banner does exist.) |
(U) Pass/Fail:

| Requirement | Pass/Fail | Comment |
|---|---|---|
| (U) MIOG 35-9.3.1(5)(b): The following banner shall be displayed on all FBI ADPT systems at a point prior to the user signing onto the system: "This FBI system is for the sole use of authorized users for official business only. You have no expectation of privacy in its use. To protect the system from unauthorized use and to insure that the system is functioning properly, individuals using this computer system are subject to having all of their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals evidence of possible abuse or criminal activity, system personnel may provide the results of such monitoring to the appropriate officials." | Pass | |
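The BL-01 procedure above is a visual check at the console. The following script is an added example, not part of the original report or of the DCS 3000 project, that performs the same check on a current Windows host from the registry: it reads the Winlogon legal-notice values (the Group Policy location first, then the local one) and compares them, whitespace-normalized, against the banner text quoted in MIOG 35-9.3.1(5)(b). It assumes the banner is delivered through those standard values; the function and variable names are this example's own.

```powershell
# Added example, not part of the original report: check that the logon banner
# required by MIOG 35-9.3.1(5)(b) is configured on the local Windows host.
# Assumption: the banner is delivered through the standard Winlogon legal-notice
# registry values, either set locally or pushed by Group Policy.

$RequiredBanner = 'This FBI system is for the sole use of authorized users for official business only. ' +
    'You have no expectation of privacy in its use. To protect the system from unauthorized use ' +
    'and to insure that the system is functioning properly, individuals using this computer system ' +
    'are subject to having all of their activities on this system monitored and recorded by system ' +
    'personnel. Anyone using this system expressly consents to such monitoring and is advised that ' +
    'if such monitoring reveals evidence of possible abuse or criminal activity, system personnel ' +
    'may provide the results of such monitoring to the appropriate officials.'

# Group Policy writes the banner under Policies\System; a locally configured banner
# lives under Winlogon. The policy value takes precedence, so it is checked first.
$BannerKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

function ConvertTo-NormalizedText([string]$Text) {
    # Collapse whitespace runs so line wrapping in the stored value does not cause a false Fail.
    return (($Text -replace '\s+', ' ').Trim())
}

function Get-ConfiguredBanner {
    # Returns the first non-empty legal notice found, or $null when none is configured.
    foreach ($key in $BannerKeys) {
        $text = (Get-ItemProperty -Path $key -Name LegalNoticeText -ErrorAction SilentlyContinue).LegalNoticeText
        if ([string]::IsNullOrWhiteSpace($text)) { continue }
        $caption = (Get-ItemProperty -Path $key -Name LegalNoticeCaption -ErrorAction SilentlyContinue).LegalNoticeCaption
        return [pscustomobject]@{ Key = $key; Caption = [string]$caption; Text = [string]$text }
    }
    return $null
}

function Test-LogonBanner {
    $banner = Get-ConfiguredBanner
    if ($null -eq $banner) {
        return [pscustomobject]@{ Result = 'Fail'; Reason = 'No LegalNoticeText value is set; nothing is displayed before logon.' }
    }
    if ((ConvertTo-NormalizedText $banner.Text) -ne (ConvertTo-NormalizedText $RequiredBanner)) {
        return [pscustomobject]@{ Result = 'Fail'; Reason = "Banner under $($banner.Key) does not match the required wording." }
    }
    return [pscustomobject]@{ Result = 'Pass'; Reason = "Required banner found under $($banner.Key) (caption: '$($banner.Caption)')." }
}

Test-LogonBanner | Format-List
```

Run it in an elevated session on each sampled workstation and on the domain controller; a Pass from the registry still needs to be paired with the visual confirmation in the procedure table, because a value that is set but rendered empty by a display fault would read as configured here yet show nothing to the user.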
(U) Test Case BL-02: Verifying Hardware has Proper Government Property Tags and is Labeled with Proper Security Labels


(U) Test Description: This physical inspection checks for the existence of appropriate security labels affixed to hardware.


(U) Test Preparation : None. 


(U) Procedure:

| Step | Procedure | Expected Outcome | Date Tested | Actual Outcome |
|---|---|---|---|---|
| 1 | All System equipment shall be examined for the proper security label. | Hardware processing, transmitting or storing data should be labeled at the highest security level of the data handled. | 8/23/02 | As expected. |
| 2 | Review procedures for handling hard disk drives from system hardware, either for destruction or transfer. | Must be handled only by FBI personnel and not leave controlled facility, as per requirements. System maintenance staff must be aware of and follow such procedures. | 8/23/02 | As expected |

(U) Pass/Fail:

| Requirement | Pass/Fail | Comment |
|---|---|---|
| (U) MIOG 35-9.4.10(1)(a): All systems with non-removable ADPT storage devices must conspicuously display classification and data descriptor labels on the unit that contains the magnetic ADPT storage device. The monitor may also be labeled. | Pass | |
| (U) MIOG 35-9.4.13(1): ADPT equipment and storage media that has processed FBI information may only be reused (e.g., transferred to another unit) within FBI control systems (i.e., formal access programs, SCIF, and TEMPEST) after they have been cleared by FBI employees. The microcomputer or ADPT storage media remains labeled and secured to the highest level of information ever entered into, stored on, or processed by the device. | Pass | |
| (U) DOJ 2640.2D 26.b. IT systems shall contain an external classification marking authorizing the level of information that can be processed. | Pass | |
(U) Test Case BL-03: Verify Removable Media has Proper Security Labeling.

Verify the existence of proper procedures for Disposal of Hard Copy/Magnetic Media.
Verify Backup Media Protection.


(U) Test Descriotioii: Confinn that removable media has the proper SF-707 classification and data descriptor labels. Examine diskettes, CDs, 
back-up tapes. Confirm that there are procedures in place to address the disposal of fixed and removable magnetic media, hard copy and printer 
ribbons. Confirm that backup media and installation are properiy labeled as to date, and ja-operly protected. Examine storage area. 



(U) Pass/Fail:

| Requirement | Pass/Fail | Comment |
|---|---|---|
| (U) MIOG 35-9.4.10(1)(c): Removable media must be labeled with external markings. An exception to this policy is granted for computer center operations supporting a computerized tape management system that the media remains in FBI controlled space. However, all magnetic media leaving FBI controlled spaces must be labeled with the external classification and data descriptor labels. | N/A | |
| (U) MIOG 35-9.4.14(1)(c): When inoperable, diskettes, tape cartridges, printouts, ribbons and similar items used to process sensitive or classified information must be destroyed in accordance with MIOG Part II Section 26. | N/A | |
| (U) MIOG 35-9.4.14(1)(d): When inoperable, hard disks used to process [...] disposal following procedures provided in MIOG Part II Section 26. | | |
(U) Test Case BL-04: Data Record Marking

(U) Description: This test contains several tests to determine if the means exist to effect a page or record labeling mechanism for security markings.

(U) Preparation: None

(U) Procedure:

| Step | Procedure | Expected Outcome | Date Tested | Actual Outcome |
|---|---|---|---|---|
| 1 | Review data dictionaries for the Oracle database application tables to determine if required security marking fields are included. | Fields are included on the data dictionaries. | | N/A |
| 2 | Review a sample of records from the Oracle database application to determine whether the security marking fields are populated appropriately. | Sample shows that fields are populated appropriately. | | N/A |
SYSTEM INTEGRITY TEST SCRIPTS AND RESULTS

(U) Test Case SI-01: Test for Anti-Virus Protection

(U) Description:

This test determines if the necessary preparations have been made to protect the system from viruses. This includes having current virus signature data.


(U) Preparation:

The system administrator shall be able to verify existing anti-virus mechanisms.

| Step | Procedure | Expected Outcome | Date Tested | Actual Outcome |
|---|---|---|---|---|
| 1 | The SA shall log onto each workstation among the sample allocated for this purpose, as administrator, and open the anti-virus protection program. Observe what resources are scanned, and the frequency at which automatic scans are performed and at what level of detail, e.g., executables, files, boot sector. | All floppy disk volumes must be scanned when mounted. The boot sector and key system files should be scanned on startup. Detailed scanning of all files should occur at least weekly at a designated time that has the least impact on work productivity. | 8/23/02 | Fail. No anti-virus software was found. |
| 2 | The SA shall determine on each selected workstation the date of the virus signature data file(s) in place. | They should not be more than one week older than the latest available from the vendor. | 8/23/02 | Fail. Presently, there are no virus checking programs in place. |
(U) Pass/Fail:

| Requirement | Pass/Fail | Comment |
|---|---|---|
| (U) MIOG 35-9.4.4(4): Whenever a virus infection is detected, it should be reported to the ADPT Security Officer. | Fail | Presently, there are no virus checking programs in place. |
| (U) MIOG 35-9.4.5(4): Vendor diagnostic software must be scanned, write-protected, and retained by the Computer Specialist. Only this copy of the software may be used on FBI ADPT systems. | Fail | Presently, there are no virus checking programs in place. |
| (U) DOJ 2640.2D 10. Components shall establish procedures to ensure that computer software installed on component IT systems is in compliance with applicable copyright laws and is incorporated into the system's life cycle management process. | Fail | Presently, there are no virus checking programs in place. |
| (U) DCID 6/3 MalCode: Procedures to prevent the introduction of malicious code into the system, including the timely updating of those mechanisms intended to prevent the introduction of malicious code (e.g., updating anti-virus software). | Fail | Presently, there are no virus checking programs in place. |
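Both SI-01 steps (is a scanner installed and active; are its signatures no more than a week old) can be scripted on a current Windows host. The block below is an added example, not part of the original report or of the DCS 3000 project. It assumes the product inventory is read from the Security Center WMI namespace (present on client editions of Windows, not on servers) and that signature detail comes from the Windows Defender cmdlets; the `productState` bit decoding it uses is undocumented but widely relied on, and the seven-day limit is measured against today's date rather than against the vendor's latest release, which is a stricter reading of the test case's wording.

```powershell
# Added example, not part of the original report: automate the two SI-01 checks
# (anti-virus present and active; signatures no more than a week old) on a
# current Windows host. Assumptions: the product inventory comes from the
# Security Center WMI namespace (client editions only) and signature detail from
# the Windows Defender cmdlets. Signature age is measured against today, not
# against the vendor's latest release as the test case words it, so a vendor
# that shipped nothing for a week would be flagged for manual follow-up.

$MaxSignatureAgeDays = 7

function Get-AntiVirusInventory {
    # One object per registered product; an empty array when the namespace is absent (servers).
    $products = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
    return @($products | ForEach-Object {
        # productState decoding is undocumented but widely relied on:
        # bit 0x1000 set = product enabled, bit 0x10 set = definitions out of date.
        [pscustomobject]@{
            Name          = $_.displayName
            Enabled       = (($_.productState -band 0x1000) -ne 0)
            DefinitionsOK = (($_.productState -band 0x10) -eq 0)
        }
    })
}

function Test-DefenderSignatures {
    $status = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if ($null -eq $status) {
        return [pscustomobject]@{ Result = 'N/A'; Reason = 'Windows Defender cmdlets unavailable; inspect the installed product manually.' }
    }
    $problems = @()
    if (-not $status.AntivirusEnabled)          { $problems += 'anti-virus engine disabled' }
    if (-not $status.RealTimeProtectionEnabled) { $problems += 'real-time (on-access) scanning disabled' }
    if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $problems += "signatures are $($status.AntivirusSignatureAge) days old (limit $MaxSignatureAgeDays)"
    }
    if ($problems.Count -gt 0) {
        return [pscustomobject]@{ Result = 'Fail'; Reason = ($problems -join '; ') }
    }
    return [pscustomobject]@{
        Result = 'Pass'
        Reason = "Signature version $($status.AntivirusSignatureVersion), updated $($status.AntivirusSignatureLastUpdated); real-time scanning on."
    }
}

$inventory = Get-AntiVirusInventory
if ($inventory.Count -eq 0) {
    Write-Output 'Security Center lists no anti-virus product (or the namespace is not available on this edition).'
} else {
    $inventory | Format-Table -AutoSize
}
Test-DefenderSignatures | Format-List
```

An empty inventory together with an N/A from the Defender check reproduces the Fail recorded in step 1 of the table (no anti-virus software found); a product that is listed but disabled, or whose definitions are flagged out of date, fails the same step even though software is installed. The removable-media and boot-sector scan settings in the expected outcome still have to be read from the product's own console.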
(U) Test Case SI-02: Verifying System Data and Program Backup and Restore

Test Description:

This test determines the extent to which system backup and restore are operational.

Test Preparation:
None.

| Step | Procedure | Expected Outcome | Date Tested | Actual Outcome |
|---|---|---|---|---|
| 1 | Review the back-up job streams used, to determine if all software and data are included in the backups. | All data and software should be backed up. | 8/23/02 | According to [redacted], backups are handled centrally by FBI on FBINET. |
| 2 | Determine where backup media are stored. | Media should be stored in a secured location. Periodically, complete backup media must be stored at an off-site location. | 8/23/02 | According to [redacted], backups are handled centrally by FBI on FBINET. |
| 3 | Determine if it is possible to restore to a computer with lower security protection. | No computer with drives capable of reading the backup media should be co-located with the system that is cleared to a lower security level. | 8/23/02 | As expected. |
(U) Pass/Fail:

| Requirement | Pass/Fail | Comment |
|---|---|---|
| (U) MIOG 35-8.1.2(3): System security plan documentation is required for every classified and sensitive FBI ADPT system. The components of a system security plan are: a) system security plan following OMB 90-08 or its successor; b) documented risk management actions pertaining to the ADPT system; c) certification statement that reflects the results of certification tests of the security features applicable to the system; d) contingency plan which consists of an emergency response plan, backup operations plan, and post-disaster recovery plan; e) standard security procedures for users and operators of the system. | Pass | |
| DCID 6/3 Doc1: Documentation shall include: A System Security Plan. A Security Concept of Operations (CONOPS) (the Security CONOPS may be included in the System Security Plan). The CONOPS shall at a minimum include a description of the purpose of the system, a description of the system architecture, the system's accreditation schedule, the system's Protection Level, integrity Level-of-Concern, availability Level-of-Concern, and a description of the factors that determine the system's Protection Level, integrity Level-of-Concern, and availability Level-of-Concern. | Pass | |
| DCID 6/3 Doc2: Documentation shall include guide(s) or manual(s) for the system's privileged users. The manual(s) shall at a minimum provide information on (1) configuring, installing and operating the system; (2) making optimum use of the system's security features; and (3) identifying known security vulnerabilities regarding the configuration and use of administrative functions. The documentation shall be updated as new vulnerabilities are identified. | Pass | |
System Security Plan (SSP) DCS 3000, Appendix F - Pre-Test Results and Finding (page 25)


| Requirement | Pass/Fail | Comment |
|---|---|---|
| DCID 6/3 Doc3: The DAA may direct that documentation also shall include: Certification test plans and procedures detailing the implementation of the features and assurances for the required Protection Level. Reports of test results. A general user's guide that describes the protection mechanisms provided and that supplies guidelines on how the mechanisms are to be used and how they interact. | Pass | |
| DCID 6/3 Verif1: Verification by the DAA Rep that the necessary security procedures and mechanisms are in place; testing of them by the DAA Rep to ensure that they work appropriately. | N/A | |
| (U) DOJ 2640.2D 9.1. [Components shall:] Develop a contingency plan for each general support system and major application. Contingency plans shall: (1) Identify the priorities of the system for restoration, taking into consideration the system's role in fulfilling Department mission and interdependency requirements. (2) Determine the maximum amount of elapsed time permissible between an adverse event and putting the system's contingency plan into operation. (3) Determine the maximum amount of data and system settings that can be lost between the service interruption event and the last back-up (this measure shall determine system back-up policies). (4) Identify interdependencies with other systems (i.e., other component, Federal, State or local agencies) that could affect contingency operations. (5) Identify system owners, roles, and responsibilities. | Pass | |
| (U) DOJ 2640.2D 9.2. [Components shall:] Develop and maintain site plans that detail responses to emergencies for IT facilities. | Pass | |
| (U) DOJ 2640.2D 9.3. [Components shall:] Test contingency/business resumption plans annually or as soon as possible after a significant change to the environment that would alter the in-place assessed risk. | Pass | |
| (U) MIOG 35-9.4.4(3): Executable software authorized to run on an FBI ADPT system shall be identified in the system security plan. The level of protection must be commensurate with the sensitivity of the information processed. At a minimum, such media should be backed up and stored physically separated from the system or at an off-site location. | Pass | |
(U) Test Case SI-03: Verifying System Integrity Safeguards

(U) Test Description: This test determines the extent to which system integrity safeguards are in place.

| Step | Procedure | Expected Outcome | Date Tested | Actual Outcome |
|---|---|---|---|---|
| 1 | Verify that access to update source code is limited to specified programmers. Application user should attempt to update application source code. | Access to update the source code should be limited to two persons. | 8/23/02 | As expected |

(U) Pass/Fail:

| Requirement | Pass/Fail | Comment |
|---|---|---|
| MIOG 35-9.4.4(3): requires that safeguards must be in place to detect and minimize inadvertent or malicious modification or destruction of an ADPT system's application software, operating system software, and critical data files. The safeguards should achieve the integrity objectives and should be documented in the system security plan. | Pass | |
| DOJ 2640.2D 8. Component IT systems shall be examined for security prior to being placed into operation. All IT systems shall have safeguards in place to detect and minimize inadvertent or malicious modifications or destruction of the IT system. | Pass | |
| DCID 6/3 Integrty1: Data and software storage integrity protection, including the use of strong integrity mechanisms (e.g., integrity locks, encryption). | Pass | |
| DCID 6/3 Integrty3: Integrity, including the implementation of specific non-repudiation capabilities (e.g., digital signatures), if mission accomplishment requires non-repudiation. | N/A | |
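The SI-03 step above is tested by having an application user attempt an update. A complementary check a practitioner would want is to read the access control list on the source tree and list every principal that holds a write-class right, so that the "two persons" expectation can be confirmed without relying on a single negative trial. The block below is an added example, not part of the original report or of the DCS 3000 project; it assumes the source code sits on an NTFS volume at a placeholder path and that the two authorised accounts are the placeholder names in `$AllowedWriters`.

```powershell
# Added example, not part of the original report: check the SI-03 criterion that
# only the two designated programmers can modify the application source code.
# Assumptions: the source tree is on an NTFS volume at $SourcePath and the two
# authorised accounts are the ones in $AllowedWriters; both are placeholders.

$SourcePath     = 'D:\DCS3000\src'                                 # placeholder path
$AllowedWriters = @('DOMAIN\programmer1', 'DOMAIN\programmer2')     # placeholder accounts

# Specific rights that let a principal alter, replace or delete source files, or
# grant themselves such rights. FullControl and Modify include these bits.
$WriteRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, WriteAttributes, WriteExtendedAttributes, ChangePermissions, TakeOwnership'

# Inherited ACEs are sometimes stored with generic rights instead of specific ones.
$GenericWriteBits = 0x10000000 -bor 0x40000000     # GENERIC_ALL, GENERIC_WRITE

function Get-SourceWriters([string]$Path) {
    # Every Allow ACE on the directory that confers any write-class right.
    $acl = Get-Acl -Path $Path
    $writers = foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = [int]$ace.FileSystemRights
        $grantsWrite = (($rights -band [int]$WriteRights) -ne 0) -or (($rights -band $GenericWriteBits) -ne 0)
        if (-not $grantsWrite) { continue }
        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
    return @($writers)
}

function Test-SourceAccess {
    $writers    = Get-SourceWriters -Path $SourcePath
    $owner      = (Get-Acl -Path $SourcePath).Owner
    $unexpected = @($writers | Where-Object { $AllowedWriters -notcontains $_.Identity })
    # The owner can always regain write access by changing permissions, so an
    # unexpected owner is reported as a finding as well.
    if ($AllowedWriters -notcontains $owner) {
        $unexpected += [pscustomobject]@{ Identity = $owner; Rights = 'Owner'; Inherited = $false }
    }
    if ($unexpected.Count -gt 0) {
        $list = ($unexpected | ForEach-Object { "$($_.Identity) [$($_.Rights)]" }) -join ', '
        return [pscustomobject]@{ Result = 'Fail'; Reason = "Write access is also held by: $list" }
    }
    return [pscustomobject]@{ Result = 'Pass'; Reason = "Only $($AllowedWriters -join ' and ') can modify $SourcePath." }
}

Test-SourceAccess | Format-List
```

On most hosts SYSTEM and the local Administrators group will appear in the Fail list with FullControl; whether those count as "persons" for this requirement is a decision for the system security plan, and if they are accepted they belong in `$AllowedWriters` so the check reflects the documented policy. The check reads only the top-level directory; subdirectories with broken inheritance need the same call on their own paths.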
(U) Test Case SI-04: Verifying System Software Licenses

(U) Test Description:

This test determines the extent to which commercial software used on the system is licensed.

(U) Test Preparation:

The system administrator or program manager shall produce documented evidence of licenses for commercial software used on the system.

| Step | Procedure | Expected Outcome | Date Tested | Actual Outcome |
|---|---|---|---|---|
| 1 | Verify all installed software is properly licensed. | All licenses are current and available | 8-23-02 | As expected. |

| Requirement | Pass/Fail | Comment |
|---|---|---|
| (U) MIOG 35-9.4.4(5): Use of software shall comply with copyright laws. | Pass | |
| (U) MIOG 35-9.4.5(4): Vendor diagnostic software must be scanned, write-protected, and retained by the Computer Specialist. Only this copy of the software may be used on FBI ADPT systems. | Pass | |
| (U) DOJ 2640.2D 10. Components shall establish procedures to ensure that computer software installed on component IT systems is in compliance with applicable copyright laws and is incorporated into the system's life cycle management process. | Pass | |
NETWORK CONNECTIVITY TEST SCRIPTS AND RESULTS

(U) Test Case NC-01: Intranet Connectivity

(U) Test Description:

This test determines if any Internet or intranet sites outside the system can be accessed from the system workstations. The first steps test if the system and other intranet computers can be reached via simple TCP/IP commands. This test is performed using all workstation operating systems.

(U) Test Preparation:

Test user accounts shall have been created. The systems administrator shall provide the IP addresses of the Primary Domain Controller. The test team will need IP addresses outside the network to ping.


| Step | Procedure | Expected Outcome | Date Tested | Actual Outcome |
|---|---|---|---|---|
| 1 | The SA shall, on several workstations for each workstation operating system, attempt to use the TCP/IP Ping command to determine if the System PDCs will respond. On Windows workstations, the MS-DOS window or the Run Command may be used. | The PDC of the operational portion of the System should respond with several lines giving timing information. The ping command to the PDC on the test portion of the System should time out. | 8/23/02 | N/A. The intranet was not used. |
| 2 | The SA shall, on at least one workstation for each workstation operating system, attempt to use the Ping TCP/IP command to determine if computers having selected sites assumed to be outside the network respond. | No non-System site should respond, and the ping commands should time out. | 8/23/02 | N/A |
| 3 | Using the workstation Web Browser, attempt to open the home pages for the browser vendor (these should be available in the setup options for the browser.) | Attempts should fail. | 8/23/02 | N/A |
| 4 | All System personnel shall be asked to log onto the System using their own account usernames and passwords. Inspect directories that contain cookies, and addresses of sites visited, for outside locations. | No non-System site locations should be referenced. | 8/23/02 | N/A |
(U) Pass/Fail:

| Requirement | Pass/Fail | Comment |
|---|---|---|
| MIOG 35-6(4) Connectivity is prohibited between internal FBI ADPT systems and all other systems or networks not covered under the FBI's management authority without approval of the FBI accrediting authority. | N/A | |
| MIOG 35-9.3.1(6) Interconnections between sensitive and classified FBI ADPT systems and non-FBI ADPT systems must be established through controlled interfaces. The ADPT Security Officer must be consulted for guidance on establishing controlled interfaces. The controlled interfaces used in an ADPT system implemented as a network shall be accredited at the highest classification level and most restrictive classification category of information on the network. | N/A | |
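Steps 1 and 2 of NC-01 are a set of ping expectations: the operational PDC must answer, the test-portion PDC and every address outside the network must time out. The block below is an added example, not part of the original report or of the DCS 3000 project, that encodes those expectations and reports a Pass or Fail per target. All addresses in it are placeholders from the RFC 5737 documentation ranges, standing in for the values the system administrator supplies under Test Preparation; the function names are this example's own.

```powershell
# Added example, not part of the original report: automate NC-01 steps 1 and 2.
# Assumptions (all placeholders, to be replaced by the addresses the system
# administrator supplies in Test Preparation): $OperationalPdc is the PDC of the
# operational portion of the System and must answer; $TestPdc is the PDC of the
# test portion and must not answer from this workstation; $OutsideTargets are
# addresses assumed to be outside the network and must not answer.

$OperationalPdc = '192.0.2.10'                        # placeholder (RFC 5737 documentation range)
$TestPdc        = '192.0.2.20'                        # placeholder
$OutsideTargets = @('198.51.100.1', '203.0.113.1')    # placeholders

function Test-Reachable([string]$Target) {
    # Two ICMP echo requests; -Quiet yields $true if at least one reply arrives.
    return [bool](Test-Connection -ComputerName $Target -Count 2 -Quiet -ErrorAction SilentlyContinue)
}

function Test-NetworkIsolation {
    $checks = @(
        [pscustomobject]@{ Target = $OperationalPdc; Role = 'operational PDC'; MustRespond = $true }
        [pscustomobject]@{ Target = $TestPdc;        Role = 'test PDC';        MustRespond = $false }
    )
    foreach ($t in $OutsideTargets) {
        $checks += [pscustomobject]@{ Target = $t; Role = 'outside network'; MustRespond = $false }
    }
    foreach ($c in $checks) {
        $responds = Test-Reachable $c.Target
        $c | Add-Member -NotePropertyName Responds -NotePropertyValue $responds
        $c | Add-Member -NotePropertyName Result -NotePropertyValue $(if ($responds -eq $c.MustRespond) { 'Pass' } else { 'Fail' })
    }
    return $checks
}

Test-NetworkIsolation | Format-Table Target, Role, MustRespond, Responds, Result -AutoSize
```

A timed-out ping is necessary but not sufficient evidence of isolation: a boundary device that filters ICMP while passing TCP would produce the same result, which is why the test case also includes the browser attempt and the cookie and history inspection in steps 3 and 4. The operational PDC row is the positive control; if it fails, the workstation's own connectivity is suspect and the timeouts on the other rows prove nothing.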
(U) Test Case NC-03: Verifying Physical Connections

(U) Test Description:

This test looks for undocumented maintenance ports and modems. No connectivity outside the network is expected.

(U) Test Preparation:

Electronic technicians to provide access to wiring closets, as required, to provide available wiring diagrams, and equipment for continuity testing and line-loss measurement. Wiring diagrams and installation line loss values shall be made available.


| Step | Procedure | Expected Outcome | Date Tested | Actual Outcome |
|---|---|---|---|---|
| 1 | The SA/ET staff shall physically verify each wire connection beginning with the servers, continuing through switches and hubs to each termination point, verifying cable numbers and ports. | There should be accountability for each connection as described on the network diagram. | 8/23/02 | As expected. |
| 2 | Line continuity tests shall be made to verify correct cable connections and labeling. Line loss measurements shall be made to determine if a possible splice or break exists. Comparisons with documented line loss shall be made when installation values are available. | Cables should be connected and labeled according to documentation. Line loss shall not indicate splice or break in line continuity. | 8/23/02 | As expected. |

(U) Pass/Fail:

| Requirement | Pass/Fail | Comment |
|---|---|---|
| (U) MIOG 35-9.4.7: The ISAs and POCs must be able to identify all equipment processing, storing or transmitting classified information whether operating as part of a network or in a standalone mode of operation. This requirement is in addition to the hardware and software inventory requirements stated in MIOG Part II Section 16-18.9. | Pass | |
AUTOMATED VULNERABILITY SCANS AND RESULTS

(U) Test Case VS-01: Determine System Vulnerabilities Using the Internet Security Systems (ISS) System Scanner

(U) Description: This test runs the ISS System Scanner vulnerability assessment tool. The ISS System Scanner is a network-based security assessment and policy compliance solution. System Scanner provides ongoing and decision-support reporting focused on the most critical aspects of managing risk. The Internet Scanner can perform scheduled and selective probes of communication services, operating systems, key applications and routers. As it "scans," System Scanner uncovers the most comprehensive set of vulnerabilities likely to be exploited during attempts to breach or attack your network and provides you with the necessary corrective action. System Scanner also prepares reports and data sets to support sound, knowledge-based policy enforcement.


(U) Requirements:

(U) DOJ 2640.2D 7.h. Accreditations with conditions shall not be granted if system or application vulnerabilities permit the following:

(1) Breaches to the confidentiality and integrity functions of the system or application and its data.

(U) DOJ 2640.2D 16.a. [Access controls shall be in place and operational for all Department IT systems to:] Enable the use of resources such as data and programs necessary to fulfill job responsibilities and no more.

(U) DOJ 2640.2D 16.e. [Access controls shall be in place and operational for all Department IT systems to:] Enforce separation of duties based on roles and responsibilities.

(U) DOJ 2640.2D 16.f. [Access controls shall be in place and operational for all Department IT systems to:] Protect the system, its data and applications, from unauthorized disclosure, modification, or erasure.

(U) DOJ 2640.2D 16.g. [Access controls shall be in place and operational for all Department IT systems to:] For systems operating in the system high mode of operation, the system security features must have the technical ability to restrict the user's access to only that information which is necessary for operations and for which the user has a need-to-know.

(U) DOJ 2640.2D 38. Until reliable executable content scanning technology is available to address security concerns with regard to mobile code or executables obtained via the Web, the following shall apply:

DOJ 2640.2D 38.a. All mobile code or executable content employed within a Department intranet shall be documented in the system security plan and approved by the DAA.

DOJ 2640.2D 38.b. As feasible, components shall implement a code review and quality control process for deployed mobile code or executable content.

DOJ 2640.2D 38.c. For those instances where there is no operational need to download mobile code or executable content, the IT system shall be configured to prevent the downloading of mobile code or executable content.

DOJ 2640.2D 38.d. Downloading of mobile code and executable content from a controlled interface between interconnected systems shall be permitted only when a boundary protection device is appropriately configured (to handle such a download) and is in place and approved by the DAA.

(U) MIOG 35-9.3.1(1): Prior to March 6, 2000, ADPT systems used for the processing of classified or sensitive information in the System High Security mode of operation must have the functionality of the C2 level of trust defined in the Department of Defense (DoD) 5200.28-STD, "Department of Defense Trusted Computer System Evaluation Criteria." The Trusted Network Interpretation of the Trusted Computer System Evaluation Criteria, National Computer Security Center Technical Guide 005 (NCSC-TG-005), provides guidance on achieving C2 functionality in a network. On October 8, 1999, the National Security Agency issued the "Controlled Access Protection Profile (CAPP)" to replace the C2 standard. All future procurements of DOJ computer systems operating in System High Security Mode MUST meet CAPP security requirements from the above date forward.

(U) MIOG 35-9.3.1(4)(e): Access Control: For systems operating in the System High Security Mode of Operation, access control may be implemented through discretionary access control techniques through measures such as file passwords, access control lists, disk encryption or other techniques, as defined in the approved system security plan.

(U) Preparation: The Certification Test Team shall provide the ISS System Scanner with the latest vulnerability signatures. The System Administrator (SA) shall install the ISS Internet Scanner where needed.


Step | Procedure | Expected Outcome | Date Tested | Actual Outcome
1 | Install the Internet Security Systems System Scanner on server. | Test application should install properly. | 8-22-02 | As expected
2 | Execute the scanner tool setup procedures to test system server(s) for Internet Information Server vulnerabilities. | Setup should work properly. | 8-22-02 | As expected
3 | Execute the scanning as per setup. | Internet function scanning should proceed without a problem. | 8-22-02 | As expected
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Step | Procedure | Expected Outcome | Date Tested | Actual Outcome
4 | Compile and analyze the results. Detailed results will be included as an attachment to this document. Summary statements of remaining vulnerabilities shall be contained in the analysis below. | A properly configured server should not exceed this number and/or severity of vulnerabilities. All required security patches should be installed. | 8-22-02 | As expected.


(U) Analysis of Results:

Requirement | Pass/Fail | Comment
(U) DOJ 2640.2D 7.h. Accreditations with conditions shall not be granted if system or application vulnerabilities permit the following: (1) Breaches to the confidentiality and integrity functions of the system or application and its data. | Pass |
(U) DOJ 2640.2D 16.e. [Access controls shall be in place and operational for all Department IT systems to:] Enforce separation of duties based on roles and responsibilities. | Pass |
(U) DOJ 2640.2D 16.f. [Access controls shall be in place and operational for all Department IT systems to:] Protect the system, its data and applications, from unauthorized disclosure, modification, or erasure. | Pass |
(U) DOJ 2640.2D 16.g. [Access controls shall be in place and operational for all Department IT systems to:] For systems operating in the system high mode of operation, the system security feature must have the technical ability to restrict the user’s access to only that information which is necessary for operations and for which the user has a need-to-know. | Pass |
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Requirement | Pass/Fail | Comment
(U) MIOG 35-9.3.1(1): Prior to March 6, 2000, ADPT systems used for the processing of classified or sensitive information in the System High Security mode of operation must have the functionality of the C2 level of trust defined in the Department of Defense (DoD) 5200.28-STD, “Department of Defense Trusted Computer System Evaluation Criteria.” The Trusted Network Interpretation of the Trusted Computer System Evaluation Criteria, National Computer Security Center Technical Guide 005 (NSC-TG-005), provided guidance on achieving C2 functionality in a network. On October 8, 1999, the National Security Agency issued the "Controlled Access Protection Profile (CAPP)" to replace the C2 standard. All future procurements of DOJ computer systems operating in System High Security Mode MUST meet CAPP security requirements from the above date forward. | Pass |
(U) MIOG 35-9.3.1(4)(e): Access Control: For systems operating in the Systems High Security Mode of Operation, access control may be implemented through discretionary access control techniques through measures such as file passwords, access control lists, disk encryption or other techniques, as defined in the approved system security plan. | Pass |
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(U) Test Case VS-03: Determine Windows Operating System Vulnerabilities Using the DISA Security Readiness Review Scripts 

(U) Features of the DISA Security Readiness Review (SRR) Scripts: DISA Security Readiness Review (SRR) Scripts - These scripts are designed to check the access control of each system or database.

(U) Description: This test runs the DISA Security Readiness Review scripts. General features are described above.


(U) Preparation : The Certification Test Team shall provide the DISA SRR scripts. The system administrator (SA) shall install the DISA SRR 
script and batch files where needed. 


Procedure:

Step | Procedure | Expected Outcome | Date Tested | Actual Outcome
1 | Install the DISA SRR scripts and batch files on the network Primary Domain Controller. | Test scripts should install properly. | 8/23/02 | As expected. PDC is not set up for this configuration.
2 | Execute the test scripts. | Server scanning should proceed without a problem. | 8/23/02 | As expected.
3 | Compile and analyze the results. Detailed results will be included in a separate document. Summary statements of remaining vulnerabilities shall be contained in the analysis below. | A properly configured server should not have an excessive number and/or severity of vulnerabilities. All required security patches should be installed. | 8/23/02 | As expected.


(U) Analysis of Results: It was noticed on both workstation and server that all auditing was not turned on. The system administrator said there was a resource issue when capturing all the auditing data. More details are included in the attached results.

(U) Pass/Fail:



System Secnrity Plan (SSP) 

DCS 3000 

Appendix F - Pre-Test Results and Finding 


Requirement | Pass/Fail | Comment
(U) DOJ 2640.2D 16.a. [Access controls shall be in place and operational for all Department IT systems to:] Enable the use of resources such as data and programs necessary to fulfill job responsibilities and no more. | Pass |
(U) DOJ 2640.2D 16.e. [Access controls shall be in place and operational for all Department IT systems to:] Enforce separation of duties based on roles and responsibilities. | Pass |
(U) DOJ 2640.2D 16.f. [Access controls shall be in place and operational for all Department IT systems to:] Protect the system, its data and applications, from unauthorized disclosure, modification, or erasure. | Pass |
(U) DOJ 2640.2D 16.g. [Access controls shall be in place and operational for all Department IT systems to:] For systems operating in the system high mode of operation, the system security features must have the technical ability to restrict the user’s access to only that information which is necessary for operations and for which the user has a need-to-know. | Pass |
(U) MIOG 35-9.3.1(1): Prior to March 6, 2000, ADPT systems used for the processing of classified or sensitive information in the System High Security mode of operation must have the functionality of the C2 level of trust defined in the Department of Defense (DoD) 5200.28-STD, “Department of Defense Trusted Computer System Evaluation Criteria.” The Trusted Network Interpretation of the Trusted Computer System Evaluation Criteria, National Computer Security Center Technical Guide 005 (NSC-TG-005), provided guidance on achieving C2 functionality in a network. On October 8, 1999, the National Security Agency issued the "Controlled Access Protection Profile (CAPP)" to replace the C2 standard. All future procurements of DOJ computer systems operating in System High Security Mode MUST meet CAPP security requirements from the above date forward. | Pass |
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Requirement | Pass/Fail | Comment
(U) MIOG 35-9.3.1(4)(e): Access Control: For systems operating in the Systems High Security Mode of Operation, access control may be implemented through discretionary access control techniques through measures such as file passwords, access control lists, disk encryption or other techniques, as defined in the approved system security plan. | Pass |
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WINDOWS 2000 SYSTEM POLICIES

(U) Test Case PS-W2K-01: Verify System Policies

(U) Description: This test identifies the elements of the Windows 2000 Security Policy as configured on the target system, and verifies compliance with requirements. Windows 2000 Security Policy elements are grouped into categories including Account Policies (lockout and password), Local Policies (audit, user rights, and security options), and IP Security. The Microsoft Management Console (MMC) is used to manage these security policy categories at the domain, group, user and local system levels.

(U) Preparation: The SA must be able to access the server. SA should provide, if available, the preferred policy configuration settings for system servers and the basis for their use.
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Procedure:

Step | Procedure | Test Element | Expected Outcome | Actual Outcome
1 | From the MMC Console on the domain controller, observe the Default Domain Policy object (On a workstation or member server, observe the Local Computer Policy object). Observe the objects located under Computer Configuration/Windows Settings/Security Settings. | | Security Settings objects should include: Account Policies, Local Policies, IP Security Policies. (Additional Security Settings objects may include Event Log, Restricted Groups, System Services, Registry, File System, and Public Key Policies. At present, these additional objects are not managed via the MMC). | As expected.
2 | Observe the Account Policies object, which should include the Password Policy and Account Lockout Policy objects. Open these two objects and verify that effective settings comply with requirements. | Password Policy | |
 | | [not legible] | [not legible] | NO password history.
 | | [not legible] | [not legible] | As expected
 | | [not legible] | [not legible] | Currently set to zero days.
 | | [not legible] | [not legible] | Currently set at zero characters
 | | [not legible] | [not legible] | As expected
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Step | Procedure | Test Element | Expected Outcome | Actual Outcome
 | | Store password using reversible encryption for all users in the domain | Disabled | As expected
 | | Account Lockout Policy | |
 | | Account lockout duration | forever (sysadmin must provide new password) | No account lockout
 | | Account lockout threshold | 3 invalid logons | Not enabled due to the previous finding.
 | | Reset account lockout counter after (time) | Not defined | Previous findings indicate this test element is not instituted.
3 | Observe the Local Policies object, which should include the Audit Policy, User Rights Assignment, and Security Options objects. Open these three objects and verify that effective settings comply with requirements. Requirements notes: The following roles can be removed: Operators (Account, Backup, and Server), Guests, and Power Users. | Audit Policy | |
 | | Audit account logon | Success and Failure events audited | As expected.
 | | Audit account management | Success and Failure events audited | As expected.
 | | Audit directory service access | Success and Failure events | Not activated.
 | | Audit logon events | Success and Failure events audited | As expected.
 | | Audit object access | Success and Failure events audited | Not activated.
 | | Audit policy change | Success and Failure events audited | As expected.
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Step | Procedure | Test Element | Expected Outcome | Actual Outcome
 | | Audit privilege use | Success and Failure events audited | As expected
 | | Audit process | Success and Failure events audited | As expected.
 | | Audit system events | Success and Failure events audited | As expected.
 | | User Rights Assignment | |
 | | Access this computer from the network | Administrators + (authorized groups) | As expected.
 | | Act as part of the operating system | Admin | Not assigned
 | | Add workstations to domain | Admin | N/A
 | | Backup files and directories | Admin, Backup Operators | As expected
 | | Bypass traverse checking (prevents inheritance of permissions. Needed for IIS). | Admin (if IIS is hosted on this system, add Users) | Backup Operators and Power Users also have access. Admin and everyone.
 | | Change system time | Admin | As expected
 | | Create pagefile | Admin | As expected
 | | Debug programs | Admin | As expected
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Step | Procedure | Test Element | Expected Outcome | Actual Outcome
 | | Deny access to this computer from the network | Admin | Not assigned on server.
 | | Generate security audits | Admin | Not assigned on server.
 | | Increase (disk) quotas | Admin | As expected
 | | Increase scheduling priority | Admin | As expected
 | | Load and unload device drivers | Admin | As expected
 | | Logon as a batch job | (as authorized and required) | As expected.
 | | Log on locally (from local console) | (Depending on application requirements, guests and anonymous users might be permitted for workgroup webservers on protected networks. However, if all users can be authenticated to the Domain Controller, then only Admins, Domain Users and required inter-server connections would be permitted.) | The following group and users are allowed to logon locally: Backup Operators, Power Users, Admin, Guest
 | | Manage auditing and security log | Admin | As expected
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Step | Procedure | Test Element | Expected Outcome | Actual Outcome
 | | Restore files and directories | Admin | As expected
 | | Shut down the system | Admin | Backup Operator, Power Users, Users, Admin
 | | Take ownership of files and other objects | Admin | As expected
 | | Security Options | |
 | | Additional restrictions for anonymous connections | No | As expected
 | | Allow system to be shut down without having to log on | No | As expected
 | | Allowed to eject removable NTFS media | Admin | As expected
 | | Audit use of Backup and Restore privilege | Admin | As expected
 | | Automatically log off users when logon time expires (local) | No | As expected
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Step | Procedure | Test Element | Expected Outcome | Actual Outcome
 | | Clear virtual memory pagefile when system shuts down | Yes | As expected.
 | | Digitally sign client communication (when possible) | n/a |
 | | Digitally sign server communication (when possible) | n/a |
 | | Disable CTRL+ALT+DEL requirement for logon | No | As expected
 | | LAN Manager Authentication Level | Level 1 - Send LM & NTLM - use NTLMv2 (Kerberos) if negotiated. | n/a
 | | Message text for users attempting to logon | FBI Warning | As expected.
 | | Prevent users from installing printer drivers | Yes | As expected
 | | Prompt user to change password before expiration | Yes | As expected
 | | Rename administrator account | Yes | As expected
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Step | Procedure | Test Element | Expected Outcome | Actual Outcome
 | | Rename guest account | No. (Must be disabled) | Account disabled.
 | | Restrict CD-ROM access to locally logged-on user only | Yes | As expected
 | | Secure channel: Digitally encrypt secure channel data (when possible) | n/a |
 | | Unsigned driver installation behavior | No. | As expected
4 | Observe the IP Security Policy object. Open the object and verify that effective settings comply with requirements. | IP Security Policy | |
 | | Client (Respond Only): Communicate normally (unsecured). Use the default response rule to negotiate with servers that request security. Only the requested protocol and port traffic with that server is secured. | Yes | No policy set for server or workstation.
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Step | Procedure | Test Element | Expected Outcome | Actual Outcome
 | | Secure Server (Require Security): For all IP traffic, always require security using Kerberos trust. Do NOT allow unsecured communication with untrusted clients. | Not at this time |
 | | Server (Request Security): For all IP traffic, always request security using Kerberos trust. Allow unsecured communication with clients that do not respond to request. | Not at this time |
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Requirement | Pass/Fail | Comment
(U) MIOG 35-9.3.1(4)(a): User Identification: The ADPT system shall control and limit user access based on identification and authentication of the user. The identity of each user will be established positively before authorizing access. User identification and password systems support the minimum requirements of access control, least privilege, and system integrity. | Pass |
(U) MIOG 35-9.3.1(4)(b): [redacted: b2, b7E] | Fail | [redacted: b2, b7E]
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Requirement | Pass/Fail | Comment
(U) MIOG 35-9.3.1(4)(e): Access Control - For systems operating in the System High Security Mode of Operation, this may be implemented with discretionary access control techniques; through measures such as file passwords, access control lists, disk encryption or other tech­niques, as defined in the approved system security plan. For ADPT systems operating in the compartmented or multilevel security mode, mandatory access control (MAC) is required. MAC is a means of restricting access to information based on labels. A user’s label indicates what information the user is permitted to access and the type of access (e.g., read or write) that the user is allowed to perform. An object's label indicates the sensitivity of the information that the object contains. A user's label must meet specific criteria defined by MAC policy in order for the user to be permitted access to a labeled object. This type of access control is always enforced above any discretionary controls implemented by users. Printed: 01/16/96. | Pass |
(U) MIOG 35-9.4.2(2)(d): User accounts that have been inactive for over 90 days will be suspended. The person responsible for administering the access control mechanism is authorized to reinstate such accounts up to 180 days overall. User accounts that have been inactive for 180 days will be deleted and may only be reissued by the person authorized to approve access who is identified in the access control criteria and only to an individual who has been authorized access. | Pass |
(U) DOJ 2640.2D 18.a. [Department IT systems that use passwords as the means for authentication shall implement at least the following minimum features:] Require the system administrator to issue initial passwords. | Pass |
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Requirement | Pass/Fail | Comment
(U) DOJ 2640.2D 18.b [Department IT systems that use passwords as the means for authentication shall implement at least the following minimum features:] Require technical implementation to support the following: [sub-items redacted: b7E] | Fail; Fail; Pass; Pass; Fail (one result per sub-item) |
(U) DOJ 2640.2D 18.g. [Department IT systems that use passwords as the means for authentication shall implement at least the following minimum features:] Disable user accounts after no more than four consecutive invalid attempts are made to supply a password, and require the reinstatement of a disabled user account by an administrator. | Pass |
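The settings this test case walks through can be checked mechanically against an export of the effective policy. The following is an added example, not part of the test report: it encodes the expected outcomes of the PS-W2K-01 table (lockout threshold of 3, lockout duration "forever", Success and Failure auditing, reversible storage disabled, only Admin may shut down, LAN Manager level 1) together with the lockout rule of DOJ 2640.2D 18.g, and runs them over a constructed secedit-format export that mirrors the recorded actual outcomes. It assumes the secedit INF key names and, because the table does not state the required password-history depth, a minimum of one remembered password.

```python
"""Check a Windows 2000 security-policy export (secedit INF format) against the
expected outcomes of test case PS-W2K-01. Added example, not part of the DCS 3000
test report; the export below is constructed, not a real DCS 3000 export."""

# Constructed sample in the layout written by `secedit /export /cfg <file>`
# (real exports are Unicode text: decode them before calling parse_inf).
# Values mirror the actual outcomes the test table recorded.
SAMPLE_INF = r"""
[System Access]
PasswordHistorySize = 0
ClearTextPassword = 0
LockoutBadCount = 0
LockoutDuration = 30
[Event Audit]
AuditAccountLogon = 3
AuditAccountManage = 3
AuditDSAccess = 0
AuditLogonEvents = 3
AuditObjectAccess = 0
AuditPolicyChange = 3
AuditPrivilegeUse = 3
AuditProcessTracking = 3
AuditSystemEvents = 3
[Privilege Rights]
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-547,*S-1-5-32-551
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,1
"""

ADMINISTRATORS = "*S-1-5-32-544"   # well-known SID of BUILTIN\Administrators
SUCCESS_AND_FAILURE = 3            # secedit audit encoding: 1 success, 2 failure, 3 both
LM_KEY = r"MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel"

AUDIT_ELEMENTS = {                  # secedit key -> test element name in the table
    "AuditAccountLogon": "Audit account logon",
    "AuditAccountManage": "Audit account management",
    "AuditDSAccess": "Audit directory service access",
    "AuditLogonEvents": "Audit logon events",
    "AuditObjectAccess": "Audit object access",
    "AuditPolicyChange": "Audit policy change",
    "AuditPrivilegeUse": "Audit privilege use",
    "AuditProcessTracking": "Audit process",
    "AuditSystemEvents": "Audit system events",
}


def parse_inf(text):
    """Parse the INI-style export into {section: {key: value}}; values stay strings."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def _num(cfg, section, key, default):
    """Integer value of a key, or `default` when the key is absent or not numeric."""
    value = cfg.get(section, {}).get(key, "")
    return int(value) if value.lstrip("-").isdigit() else default


def check_policy(cfg):
    """Return one (test element, expected, actual) tuple per deviation found."""
    findings = []
    sa = "System Access"
    # Required history depth is not stated in the table; one remembered password is assumed.
    history = _num(cfg, sa, "PasswordHistorySize", 0)
    if history < 1:
        findings.append(("Enforce password history", ">= 1 password remembered", history))
    if _num(cfg, sa, "ClearTextPassword", 0) != 0:
        findings.append(("Store password using reversible encryption", "Disabled", "Enabled"))
    threshold = _num(cfg, sa, "LockoutBadCount", 0)   # 0 = lockout switched off
    if threshold == 0 or threshold > 3:
        findings.append(("Account lockout threshold", "3 invalid logons", threshold))
    duration = _num(cfg, sa, "LockoutDuration", 0)    # -1 = until an administrator unlocks
    if duration != -1:
        findings.append(("Account lockout duration", "forever", duration))
    for key, element in AUDIT_ELEMENTS.items():
        setting = _num(cfg, "Event Audit", key, 0)
        if setting != SUCCESS_AND_FAILURE:
            findings.append((element, "Success and Failure events audited", setting))
    holders = cfg.get("Privilege Rights", {}).get("SeShutdownPrivilege", "")
    holders = {sid.strip() for sid in holders.split(",") if sid.strip()}
    if holders != {ADMINISTRATORS}:
        findings.append(("Shut down the system", "Admin", sorted(holders)))
    raw = cfg.get("Registry Values", {}).get(LM_KEY, "")   # stored as "<reg type>,<value>"
    level = int(raw.split(",")[-1]) if "," in raw else 0
    if level < 1:
        findings.append(("LAN Manager Authentication Level", "Level 1 or higher", level))
    return findings
```

On the constructed export the check reports the six deviations the test table records (password history, lockout threshold and duration, directory service and object access auditing, and the extra groups holding the shut-down right).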
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WINDOWS 2000 IDENTIFICATION AND AUTHENTICATION TEST SCRIPTS AND RESULTS

(U) Test Case IA-02: Test Password Requirement for System Access

(U) Description: This test confirms that the password belonging to that UserID is required for authentication and that any new password has to conform to requirements. It also checks that no password caching exists on the workstations examined.

(U) Preparation: System workstations shall be powered on, and logged in using the test user account created in the standard manner for the system, and made available to the testing staff. For Step 3, the system administrator must logon to one or more of each workstation type, as determined by baseline version. Step 3 requires the examination of the local workstation registry. The system administrator should backup the registry if he/she is concerned about possible registry corruption during this test.
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Step | Procedure | Expected Outcome | Date | Actual Outcome
1 | Testing staff shall logon to the test account, using the temporary password. Test person shall enter and confirm new password that satisfies requirements. Test person shall attempt to logon using misspelled passwords more than the maximum number of times allowed (4). Administrator shall reset password to default after login failure. Testing staff shall logon to the network using the new account and a new valid password. Repeat, entering a different valid password and confirm it. | User should be required to change password on first attempt after reset. Test person using new account created should be prompted to change password. Account should be locked if maximum number of attempts is exceeded. Logon after restoration should be successful. Attempting more than one successful change to a password in one day should fail (Repeated changes to return to a favorite password should be discouraged.) | 8/23/02 | As expected

3 | At each Windows NT workstation used in the previous steps, the SA shall log on as an Administrator. The SA will run the Registry Editor program (regedit or regedt32) and ... The following should be found for ... | Under no circumstances shall passwords be cached so to defeat their required use during system logon. However, local logon may be synchronized with the network logon that is controlled by an accredited server identification and authentication mechanism. | 8/23/02 |

Analysis of Results: Password filtering was not turned on for the workstation or the st
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Requirement | Pass/Fail | Comment
DOJ 2640.2D 17.c. [Department systems shall:] Comply with the Department password management policy. | Fail | Does not comply with DOJ standards.
DOJ 2640.2D 18.b. [Department IT systems that use passwords as the means for authentication shall implement at least the following minimum features:] Require technical implementation to support the following: [sub-items redacted: b2, b7E] | Fail |
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1.0 Introduction

This System Security Plan (SSP) documents the security policies and procedures for the DCSNET information system at Quantico. This plan establishes the approved operational baseline and configuration and is the basis for certification and accreditation of DCSNET.


1.1 Security Administration 

1.1.1 System Information

Information System Name: DCSNET
Information System Number: N/A
Date of Plan: 1/30/04
Revision/Version:
TSABI Number: N/A
Web Location for Documentation: N/A
Status:
Project ID: N/A
Deployment Installation Date:
Certification Test & Evaluation Date:
Required Operational Date:



1.1.2 Key System Points of Contact

System Owner: Name: | Organization: FBI/TICTU | Commercial Phone: (b6)
ISSO: Name: | Organization: FBI/TICTU | Commercial Phone:
System Administrator: Name: | Organization: FBI/TICTU | Commercial Phone:
Certification Team Lead: Name: | Organization: Security Division/IAS/CU | Commercial Phone:
Security Certification Official: Name: | Organization: Security Division/IAS/CU/Unit Chief | Commercial Phone:
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Certification Official: Name: | Organization: | Commercial Phone:




1.1.3 Security Organization

The Switch-Based Intercept Team within the Telecommunications Intercept and Collection 
Technology Unit (TICTU) oversees all administration and security concerns for the network. See 
Attachment A for an organizational chart. 

1.2 Mission 

The mission of the FBI’s TICTU is the development, deployment, and support of access and collection technology to perform lawfully authorized electronic surveillance (ELSUR) of telecommunications services. The TICTU is responsible for providing equipment to the field, troubleshooting problems with equipment and systems, providing training to field office users, tracking needs of the field to identify new ELSUR requirements, and serving as the FBI’s technical liaison with telecommunications service providers.

1.2.1 Purpose and Scope 

The Digital Collection Systems Network (DCSNET) is a transport mechanism for moving CALEA CDC and streamed CCC data from the service provider sources to the proper FBI Field Office destinations.


1.2.2 Supported Projects

Project Name | Classification & Compartments | Project POC
DCS-3000 | Unclassified | (b6, b7C)


1.2.3 Information System Usage

[checkbox states not legible in this copy]
Briefing Boards
Network Management
Other:
Communications
Presentations
Data Transmission
Collaborative Computing
Software Development
Database
Prototyping
Data Release
Signals Processing
Email
Spreadsheets
Image Processing
Web
Mapping
Word Processing
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2.0 Secure Facility Description

2.1 Facility Layout

DCSNET routers will be housed in each of the Field Offices.

2.2 System Layout

Facility drawings will be requested from each office as the routers are installed. These drawings will be put into Attachment B in this document.

2.3 Physical Environment

Is the secure facility accredited or approved to process and store information at the level covered by this SSP? [ ] Yes [ ] No
Who accredited or approved the facility?
Provide CITE Nbr & DTG or Date of approval letter.
State the classification and level (compartment) approved for the facility: [ ] Secret [ ] SCI Others: / [ ] Top Secret [ ] SI
Is the system approved for unattended processing? [ ] Yes [ ] No
Is the facility approved for 24-hour operation? [ ] Yes [ ] No
Is the facility approved for Open or Closed storage? [ ] Open storage [ ] Closed storage
Items approved for Open Storage: [List]
Items restricted to Closed Storage: [List]
Are classified and lower classified systems co-located within the facility? If "YES", provide a narrative below discussing the separations between the systems. [ ] Yes [ ] No




2.3.1 Access to Physical Environment

2.3.2 Separation of SCI and Unclassified Systems

DCSNET equipment is unclassified and is not collocated with classified equipment.

2.4 TEMPEST



3.0 System Description

3.1 Summary

The | | consists of Cisco | | running Cisco IOS 12.2(15), that connect the Field Offices together through | | network backbone. (b2, b7E)

3.2 System Diagram

The | | is made up of T1 connections to each field office from | | private (not internet connected) backbone. The fully meshed nature of this arrangement allows each field office to connect directly to every other field office, thus increasing the speed and reliability of the network. | | backbone employs the MPLS VPN protocol to ensure that FBI traffic is separated from all other traffic on the backbone. The FBI controlled routers use IPSEC AES encryption to further secure the data. See Attachment C for a Network Block Diagram.


3.3 Personnel Security 

Only administrators within TICTU will directly access the routers. 

3.4 Non-US Citizens 


3.5 Data Processed

3.5.1 Classification and Compartments

[X] Unclassified
[ ] S.
[ ] Confidential
[ ] [illegible]
[ ] Secret
[ ] Top Secret
[ ] Other:
[ ] Other:

3.5.2 Dissemination Controls

[ ] For Official Use Only
[ ] ORCON
[X] SBU
[ ] NOFORN
[ ] TK
[ ] LES
[ ] Rel To:
[ ] Other:
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3.6 Confidentiality, Integrity, and Availability Goals

Confidentiality: [ ] Basic [ ] Medium [X] High
Integrity: [ ] Basic [X] Medium [ ] High
Availability: [ ] Basic [X] Medium [ ] High

3.7 Tier Designation

[ ] Tier 1 [X] Tier 2 [ ] Tier 3 [ ] Tier 4

3.8 System Concept

[X] Dedicated
[ ] Compartmented
[ ] System High
[ ] Multi-Level


3.9 Interconnection Interface Description

3.9.1 Direct Network Connections

[ ] This system does not connect with any other system.
[X] This system connects with the following network(s) or system(s):

System Name | Classification & Compartments | Accredited By
DCS-3000 | Unclassified |

















3.9.2 Connectivity Management Procedures

Field Office requests for connectivity to DCSNET are made to the DCSNET system owner. The system owner, currently | |, determines the appropriateness of the request. If approved, the system owner tasks the system administrator and ISSO to coordinate the new installation.

3.9.3 Interconnection

The DCSNET router connects to a switch or hub that is part of the DCS-3000 system. Both systems are unclassified, so no Controlled Interface is required.

3.9.4 Connectivity Procedures 

3.9.5 Controlled Interface Requirements 

DCSNET will only connect with systems of equal classification and will not require controlled 
interfaces. 

3.9.6 Data Flow Diagram 

3.9.7 Telecommunications Security 

The routers encrypt the data transmitted over the DCSNET using IPSEC AES encryption 
algorithms. The routers use a pre-shared encryption key that is changed every 6 months. 

3.9.8 Networking

LAN Type:
Topology:
Speed:
Cabling: [ ] NSC Line Filter [ ] Apple Local Talk cabling [ ] Fiber optic cabling [ ] FDDI [ ] ATM [ ] Cabling located in conduit [ ] Plenum rated cabling: Location: [ ] Other:
Router: Make: | Model: | O/S Version:
Hub: Make: | Model: | O/S Version:
Bridge: Make: | Model: | O/S Version:
Modem: Make: | Speed:
Other:


3.9.9 Indirect Connections

[X] This system does not accept or process data stored on any other systems.
[ ] This system accepts and processes data stored on media created by or with the following network(s) or system(s):


b6 

b7E 
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System Name | Classification & Compartments | Accredited By

[X] This system does not share or distribute data to any other systems.
[ ] Data stored on media created or used on this system is distributed for use by the following network(s) or system(s):
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4.0 Hardware 

4.1 Hardware Listing 

The equipment used for DCSNET is all Cisco 2610XM routers with 96MB Flash memory. See Attachment E - Equipment List for a full list with locations and serial numbers as they are installed to the field.

4.2 Custom-Built Hardware 

4.3 Configuration Management 

See paragraph on the 7.5.3 Configuration Management Program 

5.0 Software 

5.1 Software Listing 


Vendor | Software | Version
Cisco | IOS | 12.2(15)











5.2 Configuration Guides 

5.3 Allowed Services and Protocols 

5.3.1 Internal 

The routers do not filter any ports or protocols for the data passing through the DCSNET. 

5.3.2 External 

SSH is enabled on the routers for remote management.

5.3.3 Protocols

The routers do not filter any ports or protocols for the data passing through the DCSNET.

5.4 Mail System 

There is no Mail system on DCSNET. 

5.5 Foreign Software 

There is no foreign software used on DCSNET. 

5.6 Software with Restricted Access or Limited Use Requirements 

Configuration software to manage the Cisco routers and VPN configuration requires use of an administrator password. This password is not stored in plaintext and is not displayed in plaintext within the configuration file.

5.7 Configuration Management 

See paragraph on “7.5.3 Configuration Management Program” 






6.0 Data Storage 

No data is stored on the routers. The routers contain a flash memory for configuration files. 

6.1 Media Types 
None 

6.2 Media Handling 

No media is used within DCSNET.

6.3 Backup and Restoration Process 

The administrators in Quantico will maintain copies of the configuration files for each router. 
These copies will be obtained through the network using SSH. 

6.4 Backup Protection 

6.5 Disaster Recovery 
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7.0 Security Requirements 

7.1 Threats & Vulnerabilities 

7.2 User Access and Operation 

DCSNET does not support individual general users. Only administrative users have access to 
DCSNET. All access controls listed in Section 7.2 and its subsections pertain to 
administrative/privileged users only. 

7.2.1 Access Controls 

Access will require a username and password. A second password will be required to enter the 
administrator mode. 

7.2.2 Account Procedures 

Administrators are given a userID and password for basic access to the router, based on a justified 
need. Once personnel have gained formal approval to access systems within TICTU, approval for 
DCSNET administrative access is based on the discretion of the system owner. 

7.2.3 Authenticator Procedures 

7.2.4 System Users 

There are no general system users. 

7.2.5 Privileged Users 

All privileged users have their own unique UserID and unique password. 

X Some privileged users share a UserID and password. (Explain below) 

Some privileged users share a password. (Explain below) 

Due to the design of the software, there can only be one password to enter the administrator 
mode. 

7.2.6 Password Changes 
Passwords will be changed every 6 months. 

7.2.7 Password Generation 

Passwords are generated by the administrators. 

7.2.8 Log-on Error Handling 

Administrators will be given 3 attempts to log in to the router before their SSH session is 
terminated. 

7.2.9 Account Lockout Handling 

Due to the undesirability of administrative accounts being locked out, the routers do not support 
this feature. 

7.3 User Groups and Access Rights 
7.3.1 User Groups 

All users are administrators. 

7.3.2 Non-data File Access 

All administrators can change the configuration files. 

7.3.3 System Access Rights 
All users are administrators. 







7.3.4 Audit Logs 

7.3.5 Privileged Users 

7.3.6 Privileged Users Guides 

7.3.7 Technical Access Mechanisms 

Administrative access to router information and configuration requires the use of two passwords: 
one which is unique to the individual administrative user, and another common password which 
allows access to change the configuration of the router. 

7.3.8 Discretionary Access Control 

N/A 

7.3.9 Need-to-Know Controls 

N/A 

7.3.10 Mandatory Access Controls 

N/A 

7.3.11 Discretionary Access Control Augmentation 

N/A 

7.4 Security Support Structure Protection 

7.4.1 General 

System access requires physical access to a node on the network. All network nodes are located 
in physically secure areas. 

7.4.2 Trusted Communications 

N/A 

7.4.3 Validation Procedures 

The procedures followed to validate the security posture of DCSNET can be found in Attachment 
I - DCSNET Certification Test Plan. 

7.5 Security Features and Assurances 

7.5.1 Incident Reporting 

7.5.2 Remote Access 

Remote access is allowed through the network using SSH. Administrators can log in with a 
username and password. 

7.5.3 Configuration Management Program 

The administrators handle configuration management. Administrators will set up new routers 
using a baseline configuration that contains all the security features. Changes to any router 
configurations are logged in a database maintained at Quantico. All DCSNET system changes are 
approved by the Network Administrator, and major network changes are additionally approved 
by the ISSO. 

7.5.4 System Assurance 

The procedures followed to validate the security posture of DCSNET can be found in Attachment 
I - DCSNET Certification Test Plan. 

7.5.5 Unique Security Features 
None. 
7.5.6 Recovery Procedures 

7.5.7 After Hours Processing 

DCSNET equipment is designed and configured to operate 24x7. 

7.5.8 System Start-Up 

DCSNET equipment is designed and configured to operate 24x7. 

7.5.9 Compliance-Monitoring Program 

The procedures followed to validate the security posture of DCSNET can be found in Attachment 
I - DCSNET Certification Test Plan. 

7.5.10 Non-Repudiation 

7.5.11 Transaction Rollback 

Not Applicable. DCSNET does not store data. 

7.6 Auditing 

7.6.1 Auditing Procedures 

7.6.2 Notification Banner 
7.6.3 User Accountability 

7.6.4 Audit Protection 

7.6.5 Audited Information 

7.6.6 Audited Activities 

7.6.7 Audit Review 

7.6.8 Discrepancy Handling 

7.6.9 System Verification and Testing 

The procedures followed to validate the security posture of DCSNET can be found in Attachment 
I - DCSNET Certification Test Plan. 

7.7 Marking and Labeling 

7.7.1 System Hardware 

7.7.2 Storage Media 

N/A 

7.7.3 Printout, Hardcopy 

N/A 

7.7.4 Internal Labeling 

N/A 

7.7.5 Exceptions 
None. 
7.8 Maintenance Procedures 

7.8.1 General 

7.8.2 Uncleared Personnel 
7.8.3 Logs 

7.8.4 Maintenance Software 

7.8.5 Remote Diagnostics 

7.9 Sanitization and Destruction 

7.9.1 Hardware 

DCSNET hardware is unclassified. 

7.9.2 Data Storage Media 
DCSNET does not use storage media. 

7.10 Software Security Procedures 

7.10.1 Procurement 

Only approved, vendor-supplied software and firmware is used on DCSNET equipment. 

7.10.2 Evaluation 

A test bed consisting of several routers has been created for testing purposes. All new software 
loads and major changes to configurations are tested in the lab. This test bed simulates the live 
network using the same hardware and software. Changes are tested over the course of a week, if 
time permits, before being loaded onto the live systems. 

7.10.3 Malicious Code/Virus Protection 

7.10.4 Data and Software Integrity Procedure 

DCSNET does not store data. Vendor-supplied software and firmware integrity is ensured by 
comparing hash signatures of procured software and firmware with vendor supplied hashes for 
that software and firmware. 

7.11 Media Movement 
N/A 

7.11.1 Media Introduction and Removal Procedures 

N/A. 

7.11.2 Data Copying, Reviewing, and Releasing Procedures 

N/A 
7.12 Hardware Control 

7.12.1 Transfer 

7.12.2 Relocation 

7.12.3 Release 

7.12.4 Maintenance 

7.12.5 Introduction of Hardware 

7.13 Web Protocol and Distributed/Collaborative Computing 

7.13.1 Web Server/Clients 

N/A. 

7.13.2 Mobile/Executable Code 

N/A. 

7.13.3 Collaborative Processes 

N/A. 

7.13.4 Distributed Processes 

N/A. 

7.14 Wireless Devices 

DCSNET does not use or support the use of wireless devices. 

7.15 PKI Use 
DCSNET does not use PKI. 

8.0 Security Awareness Program 

8.1 Program Description 

Security Awareness Training is provided by the Security Division and is required of all FBI 
employees. 

8.2 Users Guides 
9.0 Interconnection Security Agreement 
Not Applicable. 





10.0 Memoranda of Agreement 
Not Applicable. 
11.0 Availability 

11.1 Restoration Procedures 

Current system configurations are maintained in a management database. In the event of a corrupted or malfunctioning 
router, a new router can be configured and sent out within hours to replace the old one. All other DCSNET equipment is 
maintained by Sprint with a 4 hour on-site Service Level Agreement to replace any malfunctioning hardware. 

11.2 Communications Back-up 

Plans are being discussed to set up dial-up lines in the event of a primary circuit failure. Communications over this line 
would be encrypted to the same standards as the primary circuit. The dial-up circuits should fail over automatically, 
keeping network availability high. 

11.3 Power Back-up 

Offices that don't have battery backups are being supplied with a UPS to power the router and any directly connected 
hardware (CSU/DSU, smartjack, etc.). It is the responsibility of each field office to maintain the UPS and be sure backup 
generator power is available in the event of an extended power outage. 

11.4 Denial-of-Service Prevention 

As there is no public connection to the DCSNET, and due to the VPN nature of the Sprint network, DoS attacks are not 
applicable. Even so, access-lists are applied to external interfaces to prevent any unauthorized traffic from affecting the 
router. 
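Several of the controls this plan asserts are visible in a router's saved configuration: SSH-only remote management (5.3.2), a hashed rather than reversible enable password (5.6), a bounded number of SSH login attempts (7.2.8), and an inbound access-list on every external interface (11.4). The following audit script is an added example, not part of the plan or of any DCSNET tooling; it uses real IOS command syntax, but the configuration text is constructed for illustration and the "External" interface description is an assumed naming convention.

```python
"""Audit an IOS-style running-config against the controls the DCSNET plan asserts.
Added example (not the plan's own procedure); the config text is constructed."""
import re

# Constructed sample: keeps a reversible 'enable password 7' (fails 5.6) and
# leaves one external interface without an inbound access-list (fails 11.4).
SAMPLE_CONFIG = """\
enable secret 5 $1$PLCH$constructedplaceholderhash
enable password 7 0822455D0A16
ip ssh authentication-retries 3
interface Serial0/0
 description External circuit
 ip access-group EXTERNAL-IN in
interface Serial0/1
 description External circuit
line vty 0 4
 transport input ssh
"""

def _blocks(lines):
    """Yield (header, indented_body) for each top-level IOS config stanza."""
    header, body = None, []
    for line in lines + [""]:            # sentinel flushes the final stanza
        if line.startswith(" "):
            body.append(line.strip())
            continue
        if header is not None:
            yield header, body
        header, body = line, []

def audit_ios_config(text: str) -> dict:
    """Return control -> list of findings; an empty list means the control holds."""
    lines = text.splitlines()
    f = {"5.6": [], "7.2.8": [], "5.3.2": [], "11.4": []}
    if not any(l.startswith("enable secret ") for l in lines):
        f["5.6"].append("no hashed 'enable secret' configured")
    f["5.6"] += [f"reversible/plaintext enable password present: {l}"
                 for l in lines if l.startswith("enable password ")]
    retries = [int(m.group(1)) for m in
               (re.match(r"ip ssh authentication-retries (\d+)", l) for l in lines) if m]
    if not retries or retries[0] > 3:
        f["7.2.8"].append(f"ssh authentication-retries {retries or 'unset'}, want <= 3")
    for header, body in _blocks(lines):
        if header.startswith("line vty") and "transport input ssh" not in body:
            f["5.3.2"].append(f"{header}: transport input is not SSH-only")
        if header.startswith("interface ") and any(
                b.lower().startswith("description external") for b in body) and not any(
                re.match(r"ip access-group \S+ in$", b) for b in body):
            f["11.4"].append(f"{header}: external interface has no inbound access-list")
    return f
```

Running `audit_ios_config(SAMPLE_CONFIG)` reports the two deliberate defects and passes the other two controls; feeding it the configuration copies the plan says Quantico retains (6.3) turns those assertions into something checkable after every change.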


11.5 Priority Process Protection 
Not Applicable. 
12.0 Exceptions 
Not Applicable. 



13.0 Glossary of Terms 




Attachment A - DCSNET Org Chart 
Attachment B - System Layouts 
Attachment D - Equipment List 



Type    Vendor  Model    Memory          Serial Number  Location 
Router  Cisco   2610XM   96MB Flash ROM  Jmx0725L54V    ERF 
Router  Cisco   2610XM   96MB Flash ROM  Jmx0726L00T    Pittsburgh 
FBI IT COOP Critical Systems by Branch 

FBI IT COOP Critical Systems by Branch / Office 

The following table summarizes the FBI IT COOP Critical Systems List. It presents the 
number of critical systems by branch and their known recovery capabilities. All projects 
that were not designated Critical by Branch EADs (represented with capability = 0) were 
removed from this list. The details to support this summary table are presented in the 
tables on the following pages. The systems with sub-systems are listed in boldface with 
the sub-systems indented with grey fill-in. The sub-systems are not counted in the overall 
totals for each branch. 



11/09 System Count               152 
Systems Made into Sub-Systems     26 
Systems Removed from List          4 
12/05 System Count               122 


For a detailed tracking of the changes made between the 11/09 list and the 12/05 list refer 
to the provided Change Control Log located in Appendix - A. 


ALL INFORMATION CONTAINED 